Tuesday, 24 August 2021

Including potentially malicious content in a web page - gotta violate some security tenets

Imagine a web page where various forms of data come back to be displayed. It is an analytics-type UI scenario. In one part of the display there is a need to show "web data", which can be anything: SVG, HTML, PDF, etc. There is also a need to thumbnail that data until someone selects it and expands it into view.

Currently it is displayed in an iframe... Should be reasonably safe, right? Well, because some of that data comes from internally generated sources, they have to turn on both allow-same-origin and allow-scripts in the sandbox attribute... and a frame that keeps the host's origin and can also run script can simply reach window.parent, so that combination effectively lets the content break out of the sandbox whenever it wants.

Right?

So is there a way to safely put variable, possibly malicious, content into a web UI display element and run it, without also crippling trusted content?

I won't know in advance exactly what is going into the display element, what its source/provenance is, or whether it is trusted or untrusted.

I am thinking this is an albatross, but it seems like Google and some other sites have to deal with this as well?
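One way to square the constraints above, as an added example that is not code from the original post: since provenance is unknown at render time, treat every piece of "web data" as untrusted, never grant allow-same-origin, and let the frame talk to the host only through postMessage. Scripts can still run inside the frame (SVG and HTML may need them), but the frame has an opaque origin, so window.parent is a cross-origin object and the host's DOM, cookies and storage are out of reach. All names below (checkSandbox, sandboxFor, buildFrame, listenToFrame, fakeDocument) are the editor's own, and the fake document and the hostile SVG are constructed so the file runs under node without a browser.

```javascript
'use strict';
// Added example, not code from the original post: put "web data" of unknown
// provenance into an iframe that may run scripts but cannot reach the host page.
// Every function and constant name here is the editor's own invention.

// The combination the post describes. allow-same-origin lets the frame keep the
// origin it was served from (the host's, for internally generated data) and
// allow-scripts lets it run code; together the framed content can simply script
// window.parent.document, read the host's cookies and storage, and so on.
const ESCAPE_PAIR = ['allow-same-origin', 'allow-scripts'];

// Tokens that let a frame act on the host even with an opaque origin.
const HOST_REACHING = [
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-popups-to-escape-sandbox',
];

// Only markup that may legitimately need script to render gets allow-scripts.
const SCRIPTED_TYPES = new Set(['text/html', 'image/svg+xml']);

// Refuse any token set that would let the frame reach the embedding page.
function checkSandbox(tokens) {
  if (ESCAPE_PAIR.every((t) => tokens.includes(t))) {
    throw new Error(`sandbox="${tokens.join(' ')}" lets the frame script its parent`);
  }
  const bad = tokens.filter((t) => HOST_REACHING.includes(t));
  if (bad.length > 0) {
    throw new Error(`sandbox grants host-reaching tokens: ${bad.join(' ')}`);
  }
  return tokens;
}

function mediaType(contentType) {
  return String(contentType).split(';')[0].trim().toLowerCase();
}

// Policy for content whose provenance is unknown at render time: everything is
// treated as untrusted. Because allow-same-origin is never granted, the frame
// gets an opaque origin even though the bytes come from our own server via
// srcdoc; scripts may run inside it, but window.parent is a cross-origin object.
function sandboxFor(contentType) {
  // An empty token list renders as sandbox="", which applies every restriction.
  return checkSandbox(SCRIPTED_TYPES.has(mediaType(contentType)) ? ['allow-scripts'] : []);
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the display element. `doc` is passed in so the function can run without
// a real DOM (see fakeDocument below). `thumbnail` only scales the presentation;
// the content and its sandbox are identical before and after the user expands it.
function buildFrame(doc, data, contentType, { thumbnail = true } = {}) {
  const frame = doc.createElement('iframe');
  // The sandbox attribute must be in place before the document starts loading.
  frame.setAttribute('sandbox', sandboxFor(contentType).join(' '));
  frame.setAttribute('referrerpolicy', 'no-referrer');
  // Markup is rendered as markup; anything else is shown as text, never parsed.
  frame.srcdoc = SCRIPTED_TYPES.has(mediaType(contentType))
    ? String(data)
    : `<pre>${escapeHtml(data)}</pre>`;
  frame.style.transform = thumbnail ? 'scale(0.25)' : 'none';
  frame.style.transformOrigin = '0 0';
  frame.style.pointerEvents = thumbnail ? 'none' : 'auto';
  return frame;
}

// Host side of the only channel the frame has: postMessage. An opaque-origin
// frame reports event.origin as the string "null", so identify the sender by
// event.source (the frame's own window), never by origin.
function listenToFrame(win, frame, onExpand) {
  win.addEventListener('message', (event) => {
    if (event.source !== frame.contentWindow) return;
    if (!event.data || event.data.type !== 'expand') return;
    onExpand(frame);
  });
}

// Constructed stand-in so the file runs under node; a browser uses `document`.
function fakeDocument() {
  return {
    createElement(tag) {
      const attrs = {};
      return {
        tagName: tag.toUpperCase(),
        style: {},
        srcdoc: '',
        setAttribute(k, v) { attrs[k] = String(v); },
        getAttribute(k) { return k in attrs ? attrs[k] : null; },
      };
    },
  };
}

// Constructed sample: SVG that tries to climb out on load. Under this sandbox
// the handler still executes, but `top.document` throws a SecurityError.
const hostileSvg = '<svg xmlns="http://www.w3.org/2000/svg" onload="top.document.title=\'owned\'"></svg>';
const demoDoc = typeof document === 'undefined' ? fakeDocument() : document;
const demoFrame = buildFrame(demoDoc, hostileSvg, 'image/svg+xml');
console.log(demoFrame.getAttribute('sandbox'));  // allow-scripts
```

The trusted internal content is handled by the same rule: if it needs to touch the host page, it should not be in this display element at all, but rendered by the host directly. Anything that goes through buildFrame gets the opaque origin and has to ask the host for what it needs via postMessage, which the host answers with `frame.contentWindow.postMessage(reply, '*')` (with an opaque origin there is no origin string to target, so `'*'` is the only option, which is why the sender check in listenToFrame matters).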




No comments: